Suspicious Activity and Currency Transaction Reports: Why Management at Financial Institutions Must Maintain Compliance Controls

April 2009

Historic declines in the stock market, the credit crisis, and high-profile frauds have increased regulatory scrutiny on the financial services industry. Regulators and law enforcement authorities are not only investigating and prosecuting perpetrators of illegal activities, they are also turning their attention to financial institutions that fail to timely and accurately report warning signs of fraudulent activities. To help ensure you're in the clear, you must have an adequate compliance regime in place. What, when and how to report are described below.

Background: The Bank Secrecy Act

Enacted in 1970, the Bank Secrecy Act (BSA), 31 U.S.C. § 5318, is a powerful tool. Originally focused on money laundering, it has been amended multiple times. Regulators and law enforcement officials now use it to target more than 170 crimes. The most recent BSA amendments came after the September 11 terrorist attacks when Congress passed the USA PATRIOT Act. The current BSA framework tracks financial data to combat terrorism, the illicit drug trade, money laundering and other crimes involving the movement of funds.

The BSA requires financial institutions to self-monitor and report currency transactions and suspicious activities to the Financial Crimes Enforcement Network (FinCEN) using currency transaction reports (CTR) and suspicious activity reports (SAR), respectively. Financial institutions must file both CTRs and SARs using specified forms within specified time limits. They must also create and maintain "internal systems and controls" to ensure compliance with the reporting obligations. Financial institutions that fail to institute and maintain sufficient internal systems and controls may be criminally and civilly liable for failing to comply with the BSA.

What to Do Now

Your financial institution likely already has a BSA compliance regime in place, but you must continue to update it to satisfy new statutory and regulatory requirements. You should also monitor the results of law enforcement and regulatory actions as guidance regarding what internal controls your BSA compliance regime should include.

It is imperative that financial institutions (i) make sure that a compliance regime exists; (ii) proactively ensure the proper maintenance of that compliance regime; and (iii) remedy any defects that may exist in their present reporting programs. Failure to institute or maintain BSA compliance regimes to ensure the proper and timely submission of SARs and CTRs could lead to criminal prosecution, civil penalties, and shareholder derivative lawsuits.

Don't Let It Happen to You:

Liability for Failing to Report Fraud Warning Signs. Regulators and law enforcement officials will prosecute financial institutions that fail to timely and accurately report suspicious banking activity. For example, the U.S. Department of Justice investigated AmSouth Bancorporation and AmSouth Bank (collectively "AmSouth") after two businessmen running a Ponzi scheme opened custody accounts with it. Though AmSouth filed a SAR about these accounts, it delayed submitting the report until two years after it should have first discovered and reported the suspicious activity. In addition, DOJ found that AmSouth mischaracterized the suspicious activity in the SAR, and inaccurately reported the amount involved.

As a result of the DOJ investigation, AmSouth entered into a deferred prosecution agreement with DOJ in 2004 that included a $44 million criminal fine and a review of all transactions and account activity dating back several years. AmSouth also had to pay a $10 million civil penalty and faced cease-and-desist orders from the Federal Reserve. In addition to the criminal and civil penalties, AmSouth's directors were hit with a shareholder derivative suit.

Liability for Insufficient Compliance Regimes. Financial institutions must institute and maintain sufficient BSA compliance regimes. In 2004, victims of terrorism brought a civil action against Arab Bank, triggering a DOJ investigation that showed Arab Bank's New York branch transferred over $20 million to 45 different terrorists or terrorist groups. In February 2005, Arab Bank reached a consent agreement with the Office of the Comptroller of the Currency barring the bank from making any further transfers from its U.S. branch. Later that year, OCC and FinCEN fined Arab Bank $24 million for its breaches of the BSA causedby its"fail[ure] to implement sufficient internal controls and testing procedures to ensure compliance with the suspicious activity reporting requirements of the [BSA]."

What to Report

All financial institutions must report suspicious activities and currency transactions, including:

  • Deposits or withdrawals of $10,000 or more in a CTR.
  • A customer's effort to reduce the deposit or withdrawal below the $10,000 threshold. This triggers a mandatory CTR (a financial institution must complete the transaction as originally requested and must file a CTR). A customer's attempt to evade the CTR is defined as structuring and must be separately reported in a SAR.
  • A customer commits or admits a crime. In this instance, a financial institution must file a SAR if the crime involves or aggregates funds or other assets of at least $2,000.

Examples of "red flags" that should trigger further questions and possibly a SAR include:

  • A customer uses a fake identification document.
  • A customer makes a transaction that seems unusual based on past banking activity.
  • Multiple customers use similar identification documents.
  • Multiple customers seem to be working together to evade BSA requirements by dividing one transaction into two or more transactions.
  • A customer's transactions fall just below reporting or recordkeeping requirements.

When and How to Report

In addition to instituting programs to train employees to report suspicious activity and certain currency transactions, financial institutions must ensure employees are trained to make accurate, complete and timely reports. Filing incomplete SARs or not timely filing them can, as described above, have dire consequences. When implementing or re-evaluating a BSA compliance regime, it is essential to train employees to use the proper forms and complete them properly.


Your financial institution must be prepared for increased scrutiny; you should act now to implement or re-evaluate your BSA compliance regimes. Herrick's Financial Institution Practice Group can help you develop a new compliance regime, or review your current one to ensure it is sufficient. Should you receive law enforcement or regulatory inquiries, subpoenas for testimony, or subpoenas requesting documents, Herrick's White Collar Practice stands ready to help you protect your institution's interests, interface with law enforcement officials and regulators, and respond to subpoenas and other government inquiries.

Copyright © 2009 Herrick, Feinstein LLP. Banking Alert is published by Herrick, Feinstein LLP for information purposes only. Nothing contained herein is intended to serve as legal advice or counsel or as an opinion of the firm.